Myth: Cybersecurity Is Too Expensive for Healthcare Providers

Political uncertainties, diminishing reimbursements for services, and skyrocketing professional liability premiums are squeezing all parts of the healthcare services market. In this environment, healthcare organizations and providers are reluctant to spend more for services that they deem to be extraneous or unnecessary. Many of those providers and organizations perceive cybersecurity precautions to be too expensive and they fail to erect even simple defenses against cyberattacks, or to insure themselves against losses and liabilities associated with those attacks.

With respect to insurance, the value of cybersecurity in healthcare is verified by a simple cost-benefit analysis that applies to every healthcare organization. Healthcare cybersecurity insurance costs are a function of the size of the healthcare organization, its annual revenues, and its cyber risk exposure.

A medical center with annual revenues of $25 million might incur an annual premium of under $15,000, whereas a larger hospital with annual revenues of more than $150 million might incur an annual premium of over $40,000. Individual physician offices with annual revenues between $500,00 and $2 million will see premiums that currently range from $650 to $1,800.

To the extent that these insurance premium charges seem high, consider the cost and exposure of a successful data breach. In 2016, healthcare organizations faced an average cost of $355 per compromised record when they suffered a cyberattack. With this average, an annual hospital cybersecurity insurance premium of $40,000 is roughly equivalent to the cost of losing 112 patient records. For hospital information systems that include tens of thousands of records, that premium looks very reasonable.

Beyond the tangible per-record costs of a hospital cyberattack, the intangible losses can be far greater and can impact the long-term viability of a healthcare center itself. The center feels the effects in at least five different areas: its finances, reputation, patient safety, availability of IT services that tie in with patient care, and privacy of patient and caregiver information. Hospitals struggle to maintain existing revenue streams and to develop new sources of income. Reputation and ratings go a long way toward creating a hospital that patients trust. Cybersecurity insurance cannot immediately protect a reputation when a cyberattack on a hospital is successful, but it can help to get that hospital back into good standing in its community by facilitating a smooth and fast response to the attack.

Beyond cybersecurity insurance, healthcare organizations and physicians can implement a number of protective mechanisms at little or no extra cost to their organizations or practices. Those cybersecurity measures include robust password policies, two-factor authentication for logins to networks and information systems, limiting applications on a system to only those that have been verified and approved by a central cybersecurity review team, ensuring that all software is fully up-to-date with patches and bug fixes, and regular education and training of employees on the need to adhere to cybersecurity policies.

As newer technologies, such as IoT medical devices come online, the healthcare organization will benefit from surveying those technologies and devices for cybersecurity risks, establishing a risk management protocol, and implementing a zero-tolerance policy for deviations from that protocol. All of these measures can be implemented at little or no additional cost to the organization.

The worst position for any healthcare organization to find itself in is trying to justify its failure to adopt cybersecurity measures after it has suffered a data breach. No organization can prevent every breach, but cybersecurity insurance is the final backstop that can save thousands or even millions of dollars of revenue for a medical center that has fallen victim to cyberattackers. Few, if any healthcare organizations that have found themselves in this position would argue that cybersecurity measures and healthcare cybersecurity insurance are too expensive.